Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

💻 🔑 ssh-agent for TPMs

License

NotificationsYou must be signed in to change notification settings

Foxboron/ssh-tpm-agent

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

95 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

ssh-tpm-agent is a ssh-agent compatible agent that allows keys to be createdby the Trusted Platform Module (TPM) for authentication towards ssh servers.

TPM sealed keys are private keys created inside the Trusted Platform Module(TPM) and sealed in.tpm suffixed files. They are bound to the hardware theywhere produced on and can't be transferred to other machines.

This allows one to utilize a native client instead of having to side loadexisting PKCS11 libraries into the ssh-agent and/or ssh client.

Features

  • A workingssh-agent.
  • Create sealed ssh keys on the TPM.
  • PIN support, dictionary attacks protection from the TPM allows users to use low entropy PINs instead of passphrases.
  • TPM session encryption.
  • Proxy support towards otherssh-agent servers for fallbacks.

SWTPM support

Instead of utilizing the TPM directly, you can use--swtpm orexport SSH_TPM_AGENT_SWTPM=1 to create a identity backed byswtpm which will be stored under/var/tmp/ssh-tpm-agent.

Note thatswtpm provides no security properties and should only be used fortesting.

Installation

The simplest way of installing this plugin is by running the follow go command.

go install github.com/foxboron/ssh-tpm-agent/cmd/...@latest

Alternatively download thepre-built binaries.

Usage

# Create key$ ssh-tpm-keygenGenerating a sealed public/private ecdsa key pair.Enter filein which to save the key (/home/fox/.ssh/id_ecdsa):Enter pin (emptyfor no pin):Enter same pin again:Your identification has been savedin /home/fox/.ssh/id_ecdsa.tpmYour public key has been savedin /home/fox/.ssh/id_ecdsa.pubThe key fingerprint is:SHA256:NCMJJ2La+q5tGcngQUQvEOJP3gPH8bMP98wJOEMV564The key's randomart image is the color of television, tuned to a dead channel.$ cat /home/fox/.ssh/id_ecdsa.pubecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOTOsMXyjTc1wiQSKhRiNhKFsHJNLzLk2r4foXPLQYKR0tuXIBMTQuMmc7OiTgNMvIjMrcb9adgGdT3s+GkNi1g=# Using the socket$ ssh-tpm-agent -l /var/tmp/tpm.sock$ export SSH_AUTH_SOCK="/var/tmp/tpm.sock" ssh git@github.com

Import existing key

Usefull if you want to back up the key to a remote secure storage whil using the key day-to-day from the TPM.

// Create a key, or use an existing one$ ssh-keygen -t ecdsa -f id_ecdsaGenerating public/private ecdsa key pair.Enter passphrase (emptyfor no passphrase):Enter same passphrase again:Your identification has been savedin id_ecdsaYour public key has been savedin id_ecdsa.pubThe key fingerprint is:SHA256:bDn2EpX6XRX5ADXQSuTq+uUyia/eV3Z6MW+UtxjnXvU fox@frameworkThe key's randomart image is:+---[ECDSA 256]---+|           .+=o..||           o. oo.||          o... .o||       . + ..  ..||        S .   . o||       o * . oo=*||        ..+.oo=+E||        .++o...o=||       .++++. .+ |+----[SHA256]-----+// Import the key$ ssh-tpm-keygen --import id_ecdsaSealing an existing public/private ecdsa key pair.Enter pin (empty for no pin):Confirm pin:Your identification has been saved in id_ecdsa.tpmThe key fingerprint is:SHA256:bDn2EpX6XRX5ADXQSuTq+uUyia/eV3Z6MW+UtxjnXvUThe key's randomart image is the color of television, tuned to a dead channel.

Install user service

Socket activated services allows you to startssh-tpm-agent when it's needed by your system.

# Using the socket$ ssh-tpm-agent --install-user-unitsInstalled /home/fox/.config/systemd/user/ssh-tpm-agent.socketInstalled /home/fox/.config/systemd/user/ssh-tpm-agent.serviceEnable with: systemctl --userenable --now ssh-tpm-agent.socket$ systemctl --userenable --now ssh-tpm-agent.socket$export SSH_AUTH_SOCK="/run/user/$(id -u)/ssh-tpm-agent.sock" ssh git@github.com

Proxy support

// Start the usual ssh-agent$ eval $(ssh-agent)// Create a strong RSA key$ ssh-keygen -t rsa -b 4096 -f id_rsa -C ssh-agent...The key fingerprint is:SHA256:zLSeyU/6NKHGEvyZLA866S1jGqwdwdAxRFff8Z2N1i0 ssh-agent$ ssh-add id_rsaIdentity added: id_rsa (ssh-agent)// Print looonnggg key$ ssh-add -Lssh-rsa AAAAB3NzaC1yc[...]8TWynQ== ssh-agent// Create key on the TPM$ ssh-tpm-keygen -C ssh-tpm-agentGenerating a sealed public/private ecdsa key pair.Enter file in which to save the key (/home/fox/.ssh/id_ecdsa):Enter pin (empty for no pin):Confirm pin:Your identification has been saved in /home/fox/.ssh/id_ecdsa.tpmYour public key has been saved in /home/fox/.ssh/id_ecdsa.pubThe key fingerprint is:SHA256:PoQyuzOpEBLqT+xtP0dnvyBVL6UQTiQeCWN/EXIxPOoThe key's randomart image is the color of television, tuned to a dead channel.// Start ssh-tpm-agent with a proxy socket$ ssh-tpm-agent -A "${SSH_AUTH_SOCK}" &$ export SSH_AUTH_SOCK="$(ssh-tpm-agent --print-socket)"// ssh-tpm-agent is proxying the keys from ssh-agent$ ssh-add -Lssh-rsa AAAAB3NzaC1yc[...]8TWynQ== ssh-agentecdsa-sha2-nistp256 AAAAE2VjZHNhLXNo[...]q4whro= ssh-tpm-agent

ssh-tpm-add

$ ssh-tpm-agent --no-load &2023/08/12 13:40:50 Listening on /run/user/1000/ssh-tpm-agent.sock$ export SSH_AUTH_SOCK="$(ssh-tpm-agent --print-socket)"$ ssh-add -LThe agent has no identities.$ ssh-tpm-add $HOME/.ssh/id_ecdsa.tpmIdentity added: /home/user/.ssh/id_ecdsa.tpm$ ssh-add -Lecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJCxqisGa9IUNh4Ik3kwihrDouxP7S5Oun2hnzTvFwktszaibJruKLJMxHqVYnNwKD9DegCNwUN1qXCI/UOwaSY= test

ssh-tpm-hostkey

ssh-tpm-agent also supports storing host keys inside the TPM.

$ sudo ssh-tpm-keygen -A2023/09/03 17:03:08 INFO Generating new ECDSA host key2023/09/03 17:03:08 INFO Wrote /etc/ssh/ssh_tpm_host_ecdsa_key.tpm2023/09/03 17:03:08 INFO Generating new RSA host key2023/09/03 17:03:15 INFO Wrote /etc/ssh/ssh_tpm_host_rsa_key.tpm$ sudo ssh-tpm-hostkeys --install-system-unitsInstalled /usr/lib/systemd/system/ssh-tpm-agent.serviceInstalled /usr/lib/systemd/system/ssh-tpm-agent.socketInstalled /usr/lib/systemd/system/ssh-tpm-genkeys.serviceEnable with: systemctl enable --now ssh-tpm-agent.socket$ sudo ssh-tpm-hostkeys --install-sshd-configInstalled /etc/ssh/sshd_config.d/10-ssh-tpm-agent.confRestart sshd: systemd restart sshd$ systemctl enable --now ssh-tpm-agent.socket$ systemd restart sshd$ sudo ssh-tpm-hostkeysecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCLDH2xMDIGb26Q3Fa/kZDuPvzLzfAH6CkNs0wlaY2AaiZT2qJkWI05lMDm+mf+wmDhhgQlkJAHmyqgzYNwqWY0= root@frameworkssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAoMPsv5tEpTDFw34ltkF45dTHAPl4aLu6HigBkNnIzsuWqJxhjN6JK3vaV3eXBzy8/UJxo/R0Ml9/DRzFK8cccdIRT1KQtg8xIikRReZ0usdeqTC+wLpW/KQqgBLZ1PphRINxABWReqlnbtPVBfj6wKlCVNLEuTfzi1oAMj3KXOBDcTTB2UBLcwvTFg6YnbTjrpxY83Y+3QIZNPwYqd7r6k+e/ncUl4zgCvvxhoojGxEM3pjQIaZ0Him0yT6OGmCGFa7XIRKxwBSv9HtyHf5psgI+X5A2NV2JW2xeLhV2K1+UXmKW4aXjBWKSO08lPSWZ6/5jQTGN1Jg3fLQKSe7f root@framework$ ssh-keyscan -t ecdsa localhost# localhost:22 SSH-2.0-OpenSSH_9.4localhost ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCLDH2xMDIGb26Q3Fa/kZDuPvzLzfAH6CkNs0wlaY2AaiZT2qJkWI05lMDm+mf+wmDhhgQlkJAHmyqgzYNwqWY0=

Note: sshd seems to be a bit flakey when it decides to sign withSHA256 orSHA512, so your mileage might vary. OnlySHA256 is supported byssh-tpm-agent.

ssh-config

It is possible to use the public keys created byssh-tpm-keygen inside sshconfigurations.

The below example usesssh-tpm-agent and also passes the public key to ensurenot all identities are leaked from the agent.

Host example.com    IdentityAgent $SSH_AUTH_SOCKHost *    IdentityAgent /run/user/1000/ssh-tpm-agent.sock    IdentityFile ~/.ssh/id_ecdsa.pub

License

Licensed under the MIT license. SeeLICENSE orhttp://opensource.org/licenses/MIT

[8]ページ先頭
©2009-2025 Movatter.jp